Add visibility check in context path #26

Merged
floatingghost merged 6 commits from context-path-leak into develop 2022-06-29 09:34:02 +00:00
5 changed files with 45 additions and 3 deletions


@ -16,7 +16,9 @@ pipeline:
glibc:
when:
event:
- tag
- push
branch:
- develop
secrets:
- SCW_ACCESS_KEY
- SCW_SECRET_KEY
@ -44,7 +46,9 @@ pipeline:
musl:
when:
event:
- tag
- push
branch:
- develop
secrets:
- SCW_ACCESS_KEY
- SCW_SECRET_KEY
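Review bot: The `branch: - develop` condition is added alongside `event: - tag`, in both the glibc hunk and the musl hunk below it, and it is not clear from the page whether this CI engine applies branch filters to tag events; in Woodpecker/Drone-style configs a branch condition is, as far as I recall, ignored for tags, but if it is not, tag builds would stop running here. If the intent is "any tag, plus pushes to develop only", state it in a comment such as `# tag: any ref; push: develop only` so the next edit does not tighten it by accident. Both hunks also hand `SCW_ACCESS_KEY`/`SCW_SECRET_KEY` to push-triggered builds, which is fine while the branch filter limits them to `develop`.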


@ -11,6 +11,7 @@ pipeline:
when:
event:
- push
- pull_request
environment:
MIX_ENV: test
commands:
@ -25,6 +26,7 @@ pipeline:
when:
event:
- push
- pull_request
environment:
MIX_ENV: test
POSTGRES_DB: pleroma_test
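Review bot: Enabling `- pull_request` on both test steps (this hunk and the one at line 11) means code from fork branches now runs `commands:` under this pipeline, so the pipeline must stay secret-free; the hunk shows only `environment:` entries and no `secrets:` block, and the release pipeline in the other changed file keeps `event: [tag, push]`, so that currently holds. A one-line comment next to the trigger, `# pull_request builds run untrusted fork code: keep this step secret-free`, would record that constraint for future edits.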


@ -97,6 +97,7 @@
"http",
"dat",
"dweb",
"gopher",
"hyper",
"ipfs",
"ipns",
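Review bot: The hunk has no context line, so which config key this scheme list belongs to cannot be confirmed from the page; if it is the list of schemes accepted when linkifying or sanitizing user content, adding `"gopher"` is harmless, but if the same list is ever consulted by a server-side fetch or proxy path, gopher should stay excluded there, since gopher URL handling in HTTP client libraries is a well-known SSRF vector. Worth a comment on the list stating that it governs rendering only, assuming that is the case.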


@ -384,11 +384,13 @@ def reblogged_by(%{assigns: %{user: user}} = conn, %{id: id}) do
def context(%{assigns: %{user: user}} = conn, %{id: id}) do
with %Activity{} = activity <- Activity.get_by_id(id) do
activities =
ActivityPub.fetch_activities_for_context(activity.data["context"], %{
activity.data["context"]
|> ActivityPub.fetch_activities_for_context(%{
blocking_user: user,
user: user,
exclude_id: activity.id
})
|> Enum.filter(fn activity -> Visibility.visible_for_user?(activity, user) end)
render(conn, "context.json", activity: activity, activities: activities, user: user)
end
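Review bot: The root activity bound on the `with` line via `Activity.get_by_id(id)` is never passed through `Visibility.visible_for_user?/2`, so the endpoint still renders a (now filtered) context for an id the caller is not allowed to see, while an unknown id falls out of the `with` and is handled by whatever fallback the controller uses; adding `true <- Visibility.visible_for_user?(activity, user)` as a second `with` clause makes the two cases indistinguishable to the caller. The filter lambda `fn activity -> ... end` shadows the outer `activity`; `|> Enum.filter(&Visibility.visible_for_user?(&1, user))` avoids the shadow and reads more directly. If `visible_for_user?/2` queries the database per activity, this is one query per thread member on every context request, which is probably acceptable for a correctness fix but deserves a why-comment. The enclosing `def context/2` closes outside the hunk.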


@ -1810,6 +1810,39 @@ test "context" do
} = response
end
test "context when restrict_unauthenticated is on" do
user = insert(:user)
remote_user = insert(:user, local: false)
{:ok, %{id: id1}} = CommonAPI.post(user, %{status: "1"})
{:ok, %{id: id2}} = CommonAPI.post(user, %{status: "2", in_reply_to_status_id: id1})
{:ok, %{id: id3}} =
CommonAPI.post(remote_user, %{status: "3", in_reply_to_status_id: id2, local: false})
response =
build_conn()
|> get("/api/v1/statuses/#{id2}/context")
|> json_response_and_validate_schema(:ok)
assert %{
"ancestors" => [%{"id" => ^id1}],
"descendants" => [%{"id" => ^id3}]
} = response
clear_config([:restrict_unauthenticated, :activities, :local], true)
response =
build_conn()
|> get("/api/v1/statuses/#{id2}/context")
|> json_response_and_validate_schema(:ok)
assert %{
"ancestors" => [],
"descendants" => []
} = response
end
test "favorites paginate correctly" do
%{user: user, conn: conn} = oauth_access(["read:favourites"])
other_user = insert(:user)
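Review bot: The new test exercises only the `restrict_unauthenticated` path, which is one of several conditions `Visibility.visible_for_user?/2` evaluates; a second case where a reply is posted with `visibility: "private"` and the context is fetched by an unrelated authenticated user would pin the general thread filtering that the branch name `context-path-leak` suggests motivated the change. The `local: false` passed to `CommonAPI.post/2` for `id3` may not produce a remote activity — that `descendants` is empty with only the `:local` restriction set hints the post is treated as local — so if a remote case is intended, verify the fixture; otherwise drop the flag so the test does not imply coverage it does not give. The test sits entirely inside the hunk; `favorites paginate correctly` below is context only.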